At LAST: RC4 gets the stake through the heart

Google, Mozilla and Microsoft say 'enough is enough'

One of the security set's most intractable problems is the stubborn endurance of old standards – the kind of thing that left SSLv3 hanging around so that people didn't have to weed out “fallback” code, for example.

Well, at least one of security's code zombies, the insecure and inadequate RC4 crypto algorithm, has been formally abandoned by Google, Mozilla, and Microsoft in coordinated announcements.

The three outfits have agreed to unplug RC4's life-support early in 2016.

Their decision comes a couple of months after yet another published RC4 attack showed that an RC4-encrypted cookie could be recovered within 52 hours.

Mozilla says the only variable between Firefox, Chrome and Internet Explorer will be their release cycles.

Mozilla says that its default will be no RC4 in Firefox version 44, expected in January (but users will still be able to explicitly set a preference if they need it and know what they're doing).

“Disabling RC4 will mean that Firefox will no longer connect to servers that require RC4. The data we have indicate that while there are still a small number of such servers, Firefox users encounter them at very low rates,” the Mozilla note says.

Google says it's going to deprecate RC4 entirely sometime in January or February 2016.

Microsoft is disabling RC4 by default in Internet Explorer and Edge in a similar time-frame. ®
